Security at Radif
Law firms trust Radif with sensitive financial workflows, so security isn't a feature we added; it's how the platform is built. Here is exactly how your data is protected.
- Encryption in transit
- Every connection to Radif, from your browser and between our application and database, is encrypted with TLS. There is no unencrypted path to your data.
- Encryption at rest
- All data, including file attachments and backups, is encrypted at rest (AES-256) and resides in AWS's Canada (Central) region, on managed infrastructure provided by Supabase and Amazon Web Services.
- Tenant isolation
- Every record in Radif is tagged with your firm's identity. One firm can never read, write, or even infer the existence of another firm's requests, users, comments, files, or reports.
- Row-Level Security
- Isolation is not an application-code promise: it is enforced by the database itself on every single query, using PostgreSQL Row-Level Security. Even a bug in our application code could not cross firm boundaries, because the database refuses the query.
- Private file storage
- Attachments live in private storage, namespaced per firm, with the same database-enforced access rules. Files are served only through short-lived signed links to signed-in members of your firm, and uploads are limited to common document types with a size cap.
- Audit logging
- Every action on every request (submission, approval, rejection, reassignment, completion) is written to an append-only audit log with the actor and timestamp. Audit records cannot be edited or deleted in Radif, and the database itself enforces that rule.
- Authentication
- Sign-in is handled by Supabase Auth with securely hashed credentials and email verification. Sessions are short-lived tokens, refreshed automatically and revocable at any time. Disabled accounts lose access to data immediately, at the database layer.
- Role-based permissions
- Every capability (submitting, approving each request type, working the accounting queue, administering users) is an explicit permission checked in the database, not just hidden in the interface. Roles are convenient bundles of those permissions, and every firm controls who holds them.
- Backups
- The database is backed up automatically every day, with point-in-time recovery available on our infrastructure provider. Backups are encrypted and covered by the same access controls as production data.
- Disaster recovery
- Radif runs on managed, redundant infrastructure (Vercel and Supabase on AWS). If a component fails, it is replaced automatically; if a region has an incident, we restore from encrypted backups. Our schema and configuration are fully version-controlled, so the entire platform can be rebuilt reproducibly.
- Privacy commitment
- Your data belongs to your firm. We collect the minimum needed to run the service, we never sell or share it, we never train models on it, and staff access is limited to what's required to support you. If you leave, we export your data and delete it on request.
On our roadmap
As Radif grows with its customers, the following are planned and will ship as they are completed:
- Multi-factor authentication (MFA)
- Microsoft single sign-on
- SOC 2 Type II certification
- ISO 27001 alignment
- Independent penetration testing
Questions about security or privacy? We'll answer them directly. Contact us any time. Radif is a workflow tool and not legal or accounting advice; each firm remains responsible for its own compliance.